Crowdsourcing Finding its Security Sweet Spot

Private and commercial businesses are starting to find some comfort in crowdsourcing security research into application vulnerabilities.

Pulling in security help on a project has traditionally meant either hiring more full-time staff or bringing in an outside consultant. Enterprises and vendors alike, however, are now looking well beyond their own perimeter and taking advantage of crowdsourcing.

Given the paranoia in the industry, putting out an open call to find vulnerabilities in an application, for example, seems like a thought that would never get off the ground. But more organizations are giving it a shot—and no project seems out of scope. Plans are in the works to crowdsource some of the remaining cryptanalysis in the TrueCrypt audit, and companies such as HP and Microsoft have built platforms for threat intelligence sharing that facilitate the phenomenon.

Bugcrowd is a relatively young company whose business model is crowdsourcing vulnerability discovery and management, providing the platform, the research community and the monetary rewards to do so. Casey Ellis, Bugcrowd's founder and CEO, said crowdsourcing corrects the fundamental imbalance between attackers and defenders.

Ellis points out that attackers, whether they’re opportunistic criminals or focused nation states interested in espionage, are a large group with a diverse skill set. In-house help and consultants, while skilled, cannot match the diversity posed by the opposition, he said.

“They can be good at what they do, but the fact is that there’s not a large group of them. It puts companies at a fundamental disadvantage,” Ellis said. “Where the economics comes into it, is that it’s impossible to hire everyone by the hour. By bringing in crowdsourced results based on an incentive model, it’s the most logical way to get things done.”

Bugcrowd, which has 9,500 researchers registered in its network, today announced the public availability of its Flex Bounty Program, which has been used internally for some time with customers, Ellis said. It’s structured to look like a penetration test where the customer sets a fixed time frame for results, as well as the scope of the engagement, and how much the bounty will be. Ellis said a recent customer required a pen test for compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The flex program was carried out in a 24-hour period where 50 participants from Bugcrowd’s pool hammered away at an application, essentially getting the same number of man-hours as a two to three week engagement.

Success, Ellis said, can be measured with a quick comparison to previous pen-test results.

“Spreading that out across a group of people, you end up with results that are dramatically comparable to stuff that’s been done in the past,” Ellis said. “Once it’s been done once, you see this was really effective.”

Others are hoping to cash in on the effectiveness of crowdsourcing. The second half of the TrueCrypt audit, for example, is set to commence shortly and will also take this approach in its quest to determine whether the open source encryption software has been compromised by a backdoor.

Project leaders Thomas Ptacek and Nate Lawson are expected to follow a model employed by Ptacek’s company, Matasano Security. Matasano’s Crypto Challenges were a set of more than 40 exercises demonstrating attacks on real-world crypto, exploiting weaknesses in real systems and cryptographic constructions. Those interested in participating emailed Matasano and were sent eight challenges at a time, each stage more difficult than the previous.

That same format could be part of the TrueCrypt audit, said Kenneth White, who along with Johns Hopkins professor and crypto expert Matthew Green kickstarted the Open Crypto Audit Project.

“It’s an incredible way for people to identify rising and promising researchers who are not widely known in the community,” White said. “We have top people collaborating and now with the crowdsourcing, I’m excited about it.”

Authors

Threatpost